The Ransomware Removal Handbook: Dealing with common strains of ransomware

As the WannaCry ransomware spreads quickly across the globe, infecting tens of computers and systems in its wake, it’s clear that ransomware is now a big, big problem for businesses and individuals alike. Osterman Research, Inc., published a Malwarebytes-sponsored survey in 2016 which found that 39 percent of organizations suffered a ransomware attack in the previous 12 months. Additionally, US companies were the most likely to suffer from such an attack, and from cyber attacks of all kinds in general. A Ponemon Institute survey also indicates that ransomware attacks increased by 300 percent from 2015 to 2016.

Ransomware can be expensive as well. The aforementioned Ponemon Institute survey also found that the average attack cost businesses $2,500. This does not include the negative impact on opportunity costs, which online backup company Carbonite says is seen in the fact that 33 percent of companies eventually invest in new cybersecurity following an incident. Meanwhile, 32 percent of businesses lost customers following an event, and 32 percent experienced significant downtime. Other surveys, such as one conducted by IBM, find that most businesses are willing to pay the cyber criminals to release their data, with many willing to cough up big time for certain types of data. Some businesses are willing to pay upwards of $50,000 to release their valuable data.

These numbers, of course, do not include all types of cyber threats and breaches. Most organizations will eventually experience a cyber security breach of some kind, with cyber criminals increasingly turning to ransomware attacks as their preferred method. And since most cyber criminals behind these attacks request payment in the secure and anonymous payment method Bitcoin, most can get away with the crime.

With the growing concern over ransomware, here are some helpful tips on removing ransomware, decrypting files, and ways to help prevent getting infected. Our guide provides a detailed explanation of what ransomware is, the types of ransomware that exist, and places special attention on how to remove ransomware without causing harm to your computer. We focus on practical methods that you can employ that emphasize removal over paying the ransom, which we strongly discourage.

How does ransomware work?

Ransomware is like other malware, with an added bit of extortion

That’s an admittedly oversimplified statement, but it’s an essential truth about ransomware. All ransomware is malware. Ransomware penetrates computer systems in the same manner that other viruses will do as well. You might download it from a suspicious email file. You might load it onto your machine from a USB flash drive. You might accidentally download it after going to a less-than-reputable website.

Once on your system, the ransomware shuts down almost every system function in sometimes overblown and flashy ways, and in the case of Windows machines, it usually disables your ability to access the start menu (that way you can’t access antivirus programs or try to revert to Safe Mode). Until you clear the virus from your machine and pay the demanded ransom, you won’t have access to any files on your system. Some ransomware will even demand that you pay up within a certain amount of time, or else the files will stay locked forever or the virus completely wipe your hard drive.

Whichever method that the program uses to penetrate your system, ransomware is designed to hide itself by pretending to be something it’s not, even changing file names or paths to make your computer and antivirus software think that it’s not a suspicious file. The key difference between ransomware and other forms of malware is that the purpose of ransomware extends beyond just mischief or stealthily stealing personal information.

If anything, ransomware acts more like a bull in a china shop once it’s effectively found its way onto your system. Unlike many other viruses, which are often designed around stealth both before and after invading your system, ransomware designers want you to know the program is there. After the program is installed, it completely takes over your system in such a way that you’ll be forced to pay attention to it. It’s a very different modus operandi than viruses designers have traditionally followed, and it appears to be the most effective money-making virus design to date.

Ransomware works through fear, intimidation, shame, and guilt

Ransomware is like the most toxic relationship you’ve ever been in. Once the program is there, it begins a negative campaign of emotional manipulation to get you to pay the ransom. Far too often those fear tactics work, especially on individuals who don’t realize that there are alternatives to paying up. Still, many people who end up paying are solitary workers within a company who, for the guilt and shame of it, cough up the cash out of an understandable fear of losing their job or getting a significant reprimand from managers.

Types of ransomware

Although the most common type of ransomware you’ll find today is based on the more modern (but not defunct) Cryptolocker trojan, ransomware has been around since the 1980s. Many of these viruses are rare nowadays. File-encryptingransomware is increasingly the most common type. However, according to Malwarebytes, there are several categories of ransomware that you may still encounter:

Encrypting ransomware

If ransomware finds its way onto your machine, it’s likely going to be of the encrypting variety. Encrypting ransomware is quickly becoming the most common type due to a high return on investment for the cyber criminals using it, and how difficult it is to crack the encryption or remove the malware. Encrypting ransomware will completely encrypt the files on your system and disallow you access until you’ve paid a ransom, typically in Bitcoins. Some of these programs are also time sensitive and will start deleting files until the ransom is paid, increasing the feeling of urgency to pay up.

On this type of ransomware, Adam Kujawa, Head of Intelligence at Malwarebytes, had this to say: “It’s too late once you get infected. Game over.”

Scareware

Source: College of St. Scholastica

Scareware is malware that attempts to persuade you that you have a computer virus that needs removal right away. It will then try to get you to clear the virus by buying a suspicious and typically fake malware or virus removal program.

Scareware is highly uncommon now. Although it was the most common form some years ago, those who created and spread scareware were effectively shut down by a joint effort between law enforcement agencies, security companies, and online payment merchants. Some of these viruses do still exist out in the wild, however, with many that target mobile phones.

Screen locker (or lock-screen viruses)

Screen lockers will put up a warning screen that limits your ability to access computer functions and files. These can be installed onto your machine or exist within a web browser. They’ll typically come with a message claiming to represent a law enforcement organization and carry a message saying you’ll face severe legal consequences if you do not pay a fine immediately.

You might end up downloading a lock-screen virus in a number of different ways, including visiting compromised websites or by clicking on and downloading an infected file contained in an email.

When installed directly onto a computer, you may have to perform a hard restart to restart your computer, although you may also find that you’re still greeted with the screen lock message even when the operating system loads up again.

As scareware and screen-locking software can be removed in the same manner, we’ll start with and combine these two.

First, know that scareware does not encrypt files, although it may attempt to block your access to some programs (such as virus scanners and removers). Nevertheless, scareware is the easiest to get rid of. In fact, in most cases, you can remove scareware using standard virus removal programs or other methods without even entering Safe Mode (although this may still be necessary or recommended).

Screen lockers are far more troublesome to remove than scareware but are not as much of a problem as file encrypting ransomware. Screen lockers tend to lock you out of your menu, and other system settings but don’t completely remove access to your files. This means some of the malware’s primary attack methods prevent you from easily accessing your virus removal software and at times may even prevent you from restarting your computer from the user interface.

However, scareware and lock-screen viruses are not perfect and can be easily removed at little to no cost.

Screen lockers are a good reason, among many others, why having online backup is extremely important. While the screen locker won’t encrypt or delete your files, you may find yourself forced to perform a system restore. The system restore may not delete your important files, but it will return them to an earlier state. Depending on the restored states, that may still result in a lot of lost data or progress. Regular online backups will help prevent data loss that performing a system restore does not guarantee, especially if the virus has been hiding on your system for much longer than you realized.

Option 1: Perform a full system scan using a reputable on-demand malware cleaner

This is a fairly simple process. We recommend one of several potential on-demand malware cleaners for this, such as Zemana Anti-Malware or even the built-in Windows Defender tool for Windows users.

To perform the full system scan using Zemana Anti-Malware, do the following:

Open your Zemana Anti-Malware home screen

Click on the Gear Symbol on the top right to access settings

Click on Scan on the left

Select Create Restore Point

Return to the home screen and click onthe green Scan button on the bottom right

Setting the restore point is a good best practice for virus scans in general. Meanwhile, your virus scan might tag some things as problems that aren’t problems (Chrome extensions often come up as problematic, for example), while you could find areas of concern that you weren’t expecting. In my case, a recent Zemana system scan revealed a potential DNS hijack. Yikes! (It also misclassified a few programs as malware and adware, so be careful make sure to check which files you’re cleaning and quarantining properly.)

To perform a full system scan using Windows Defender, do the following:

Perform a quick system search for “Windows Defender”

Access Windows Defender and select Full on the right side

Click on Scan

Microsoft continually improves its built-in Windows antivirus software, but it’s not as good a solution as an on-demand option like Zemana or many other high-quality programs. You may be inclined to run Windows Defender as well as Zemana Anti-Malware or whichever other on-demand malware removal program you choose, which may be a good option to cover your bases. Generally, you can’t run these programs concurrently, so you’ll need to run one after the other, in whichever order you choose. What one doesn’t catch, the other might.

Option 2: Perform a system restore to a point before the scareware or screen locker began popping up messages. Both can have delayed reactions at times, so it’s a good idea to perform the virus scan alongside the system restore

This option assumes that you have your computer set to create system restore points at preset intervals, or that you’ve performed this action yourself individually. If you’re accessing this guide as a preventative measure against ransomware, creating restore points from this point forward will be a good idea.

Here’s how to find your restore points or set new restore points in Windows:

Access your Control Panel (you can do this through a system search for “Control Panel”)

Click on System and Security

Click on System

Go to Advanced system settings

Click on the System Protection and click on System Restore

If you have never run a system backup, click on Set up backup. This will open up the backup operations and get you started. Once there, you’ll need to pick your backup location, the files you want to be backed-up (or you can let Windows select those for you), schedule when you want your backups to occur, and then perform the backup

If it shows that you already have a backup in place, select the backup files from the most recent restore point or from whichever restore point you desire

The backup restoration process may take several minutes, especially if the amount of data being restored is significant. However, this should restore your file system to a point before the virus was downloaded and installed.

Additional Note:

Especially when dealing with screen-locking ransomware, you may need to enter Safe Mode to get the on-demand virus removers to work or to run your system restore properly. Even some scareware can at times prevent you from opening your virus removal programs, but they usually can’t prevent you from doing so while you’re in Safe Mode.

If you’re having trouble getting your computer to restart into Safe Mode (a distinct possibility if you have a screen locker), check out our guide on How to Start Windows in Safe Mode.

Indiana University also provides a helpful knowledgebase with a few more advanced methods for more troublesome scareware. Click here to read their advanced scareware removal methods.

Ransomware removal: How to remove file encrypting ransomware

For this, we’ll refer back to Malwarebytes’ Adam Kujawa. Once the encrypted ransomware gets onto your system, it really is “game over,” to the extent that you’re in trouble if you want to keep any unsaved or not backed-up data (at least without paying through the nose for it). Surprisingly, many cyber criminals are fairly honorable when it comes to releasing the encryption after they’ve received payment. After all, if they never did, people wouldn’t pay the ransom. Still, there is a chance that you could pay the ransom and find your files never released, or have the criminals ask for more money.

However, if you are hit with a nasty piece of encrypting ransomware, do not panic. Alongside that, do not pay the ransom. If you’re infected with file encrypting ransomware, here’s what you’ll need to do:

Step 1: Run an antivirus or malware remover to get rid of the encryption virus

Refer back to the malware/virus removal instructions provided in the Scareware/Screen Locker section. The removal process in this step will be the same, with one exception: WE STRONGLY ENCOURAGE YOU TO REMOVE THIS VIRUS IN SAFE MODE WITHOUT NETWORKING. There is a chance that the file-encrypting ransomware you’ve contracted has also compromised your network connection. Cut off the hackers’ access to the data feed when removing the virus. (*Note: this may not be wise if you’re dealing with a few variants of the WannaCry ransomware, which check against a gibberish website to identify a potential killswitch. If those sites are registered (which they are now), the ransomware halts encryption. This situation is highly uncommon, however).

Removing the malware is an important first step to deal with this problem. Many reliable programs will do in this case. However, not every antivirus program will do the job. Some are not designed to remove the type of malware that encrypts files. It is recommended that you verify the malware removal program you intend to use can effectively remove the virus. You can do this either by perusing the website for that program or, by directly contacting that company’s customer support and inquiring with a representative.

The real problem you will find is that your files will stay encrypted even after you remove the virus. Nevertheless, this step will at least rid you of the virus that did the encryption in the first place, as well as keep it from re-encrypting files.

Trying to decrypt files without removing the malware first may result in the files getting re-encrypted.This includes paying for the ransom before removing the malware.

Again, you should be doing everything you can to avoid paying a ransom. Your next step is going to be to try a ransomware decryption tool. Note, however, that there is no guarantee that there will be a ransomware decryption tool that will work with your specific malware. This is because you may have a variant that has yet to be cracked.

Kaspersky Labs and several other security companies operate a website called No More Ransom! where anyone can download and install ransomware decryptors. Kaspersky also offers free ransomware decryptors on its website.

You have a few options even here. First, we suggest you click here and use the No More Ransom Crypto Sheriff. This is the site’s tool to assess what type of ransomware you have and whether a decryptor currently exists to help decrypt your files. It works like this:

Select and upload two encrypted files from your PC

Provide a website or email address given in the ransom demand (e.g., where the ransomware directing you to go to pay the ransom)

If no email address or website is given, upload the .txt or .html file with the ransom note

The Crypto Sheriff will process that information against its database to determine if a solution exists. If no suggestion is offered, do not give up just yet, however. One of the decryptors may still work, although you may have to download each and every one. This will be an admittedly slow and arduous process, but again, it’s going to be less costly than paying the ransom, even if the files are not decrypted.

The following decryptor tools may be able to decrypt your ransomware. Click here for more information on which ransomware variant each tool will remove:

The number of available decryptors is liable to change, so we encourage you to check the No More Ransom! website if you believe you have a file encrypting ransomware that’s not listed here.

Running the file decryptors is actually pretty easy. Most of the decryptors come with a how-to guide from the tool’s developer (mostly EmsiSoft, Kaspersky Labs, Check Point, or Trend Micro). Each process may be slightly different, so you’ll want to read the PDF how-to guide for each one where available.

Here’s an example of the process you’d take to decrypt the Philadelphia ransomware:

Choose one encrypted file on your system and a version of that file that’s currently unencrypted. Place these two files in their own folder on your computer

Select the file pair and then drag and drop the files onto the decryptor executable. The decryptor will then begin to determine the correct keys needed to decrypt the file

This process may take quite a lot of time, depending on the complexity of the program

Once completed, you will receive the decryption key for all files encrypted by the ransomware

The decryptor will then ask you to accept a license agreement and provide you the options for which drives to decrypt files from. You can change the location depending on where the files are currently housed, as well as some other options that may be necessary, depending on the type of ransomware. One of those options usually includes the ability to keep the encrypted files

You will get a message in the decryptor UI once the files have been decrypted

Again, this process may not work, as you may have ransomware for which no decryptor is available. As many individuals who do get infected simply pay the ransom without looking into removal methods, many of these ransomware are still used, despite having been cracked.

Backup option: Wipe your system and perform a complete data restoration from a data backup

Steps 1 and 2 only work when used together. If either fails to work for you, you’ll need to follow this step.

Hopefully, you have a solid and reliable data backup already in place. If so, don’t give in to the temptation to pay the ransom. If you’re an employee working for a company and you’re afraid you may face consequences for falling prey to ransomware, please know that you’re more likely to face more severe consequences for paying the ransom.

Instead, either personally or have an IT professional (preferably this option) wipe your system and restore your files through your online or physical backup system. This is also a reason why bare-metal backup and restoration is important. There’s a good chance your IT professional may need to perform the complete bare-metal restoration for you.

Windows users may also need to consider a complete system reset to factory settings. Microsoft provides an explanation for multiple system and file restoration methods and options. Click here to access the Windows page on Ransomware.

Last-ditch effort: Utilize a professional service to recover your data

If you have no data backup, you may be able to acquire assistance from a professional ransomware removal service.

Most company-employed IT professionals do not have the capacity to clear encrypting ransomware. However, some companies do exist that specialize in just this type of virus removal. Note, however, that their services are always expensive, to the tune of hundreds or even thousands of dollars. Determine the value of the data you’re going to lose when deciding whether or not to use such a service. Also, note that they cannot always guarantee success. You may have to deal with the data loss if they are unable to recover your data.

Depending on the company you hire, you may or may not have to still pay for the removal service, although many security companies won’t charge if they can’t recover any of your information.

The best offense is a good defense

Know this first: Decrypting ransomware is incredibly difficult.

Most ransomware these days will use AES or RSA encryption methods, both of which can be incredibly difficult to crack. To put it in perspective, the US government also uses AES encryption standards. Information on how to create this kind of encryption is widely known, as is the difficulty in cracking it. Until someone realizes the dream of quantum computing, brute force cracking for AES is effectively impossible for the time being.

This being the case, the best method to fight ransomware is never allowing it to get onto your system in the first place. Protection can be accomplished by shoring up weak areas and changing behaviors that typically allow ransomware to get onto your system.

Invest in solid data backup. This is hard to understate. Data backup is the single best thing you can do. Even if you do get hit by ransomware, having effective and consistent data backup means your data will be safe, regardless of which type of ransomware you get.

Invest in effective antivirus software. In this case, you don’t just want malware or virus cleaners, but software that will actively monitor and alert you to threats, including inside of web browsers. That way, you’ll get notifications for suspicious links, or get redirected away from malicious websites where ransomware may be housed.

Never click on suspicious email links. Most ransomware spreads through email. When you make it a habit of never clicking on suspicious links, you significantly lower your risk of downloading ransomware or other viruses for that matter.

Protect network-connected computers. Some ransomware works by actively scanning networks and accessing any connected computers that allow remote access. Make sure any computers on your network have remote access disabled or utilize strong protection methods to avoid easy access.

What to do if you catch ransomware mid-encryption

If you’re lucky, you may be able to catch ransomware mid-encryption. This takes a keen eye and knowing what unusually large amounts of activity look and sound like on your computer.

Ransomware encryption will happen in the background, so it’s almost impossible to detect this actually occurring unless you’re specifically looking for it. Additionally, the virus doing the encryption will likely be hiding inside of another program, or have an altered file name that is made to look innocuous, so you might not be able to tell which program is performing the action.

However, should you discover what you think is a ransomware virus encrypting files, here are a few options:

Place your computer into hibernation

This will stop any processes that are running and create a quick memory image of your computer and files. Do not restart your computer or take it out of hibernation. In this mode, a computer specialist (either from your IT department or a hired security company) can mount the device to another computer in a read-only mode and assess the situation. That includes the recovery of unencrypted files.

Suspend the encryption operation

If you can identify which operation is the culprit, you may want to suspend that operation.

In Windows, this involves opening up the task manager (CTRL+ALT+DEL) and looking for suspicious operations. In particular, look for operations that appear to be doing a lot of writing to the system.

You can suspend operations from there. It’s better to suspend the operation instead of killing it, as this allows you to investigate the process in more detail to see what it’s actually up to. That way you can better determine whether you have ransomware on your hands.

If you do find that it’s ransomware, check which files the process has been focusing on. You may find it in the process of encrypting certain files. You can copy these files before the encryption process has finished and move them to a secure location.

You can find some other great suggestions by security and computer professionals on Stack Exchange.

The danger of ransomware is very real

Hackers are turning to ransomware over other types of cyber attacks because it’s a low-risk, high-gain venture with an almost ludicrously impressive conversion rate. In fact, the 2016 IBM survey mentioned above also discovered that 70 percent of businesses hit with ransomware choose to pay the ransom.

Interestingly, that number contrasts with the Osterman Research survey findings, which indicated only 40 percent of corporate victims paid. The differences in these numbers may be that the Osterman Research data includes only enterprises, while the IBM data includes small and medium-sized businesses, hinting at the fact that small and medium-sized businesses are more likely to pay. The fear of losing valuable data is often enough to cause companies to give in to the strong arm demands.

Understandably so, as well. In a review of malware removal software programs for Windows, I tested a real piece of ransomware in a closed environment. It changed my operating system in such a sinister way that I can only imagine how frantically someone with less technical experience and in a real-world situation might react.

It’s hard to blame anyone for giving into the fear tactics used by ransomware creators. Ransomware is quite often more than just smoke and mirrors. It will shut down your system, and it will result in the ransomware locking your valuable data behind encryption so advanced that many businesses and companies opt to pay up rather than risk losing it all. In many cases, the ransomware will indeed delete your files if you don’t pay up.

Common encrypting ransomware variants

As with most viruses, there are different families and variants that exist. As for ransomware, there are currently more than 200 families and numerous variants within each family. Perhaps the most successful malware variant, Cryptowall, was able to extort $325 million from individuals and businesses the world over in just one year (2015).

Cyber security company datto provides a succinct list of the most common ransomware you may encounter, as well as the programs or areas of your computer they target:

Cryptolocker:Although the original has been shut down since 2014, there are still variants that one may encounter. Spreads through email and encrypts drive files using asymmetric encryption. Cryptolocker is considered the program that popularized the use of ransomware in its modern form and has been widely copied. According to datto, 95 percent of ransomware attacks in 2016 were from Cryptolocker or its variants going by the same name or using the same methodology.

CTB-Locker: Primarily spread through email to infect machines. CTB-Locker is “malware as a service”, sourced out to smaller-scale criminal operations for a cut of the profits.

Jigsaw: Jigsaw will encrypt and then delete files progressively until the ransom is paid. After 72 hours, all files will be deleted.

KeRanger: Located on BitTorrent, KeRanger is the first known ransomware that is fully functional on Mac OS X.

LeChiffre: Named for the Bond villain in Casino Royale who kidnaps bond’s love interest to extort money, this program takes advantage of poorly secured remote computers on accessible networks. LeChiffre then logs in and runs manually on those systems.

Locky:Locky invades systems as a fake emailed invoice file. Once opened, it requests a macro to run, which then results in the encryption process.

TorrentLocker:This ransomware utilizes spam emails to spread, with different geographic regions targeted at a time. It also copies email addresses from the affected users’ address book and spams itself out to those parties as well.

WannaCry: Spread through phishing emails and over networked systems. Uniquely, WannaCry uses a stolen NSA backdoor to infect systems, as well as another vulnerability in Windows that was patched over a month before the release of the malware.

ZCryptor: This worm-like ransomware also infects external hard drives and flash drives attached to the machine.

While this list is not exhaustive, it represents the most common and most virulent ransomware you may encounter.

Ransomware can encrypt any type of file

It’s important to note that, for the most part, no file on your system is safe from ransomware. Any file can be encrypted, although most ransomware won’t attempt to encrypt all types of files. For example, entire programs are rarely encrypted, although the files that run those programs or the files those programs create often are.

Common targets include image files, PDFs, and any type of file created by Microsoft Office (such as Excel and Word files). The common method ransomware will use is to search files on common drives, such as C:, D:, E: or F:, and encrypt any or most files it finds there. Some newer encrypting ransomware have even taken to encrypting network shared files as well, a dangerous development for businesses in particular.

Special note on WannaCry (including a fix for those infected)

Update, 5/22/2017: If you’ve been infected by the WannaCry virus, there’s a chance a decrpytion tool exists to help you get rid of it and save your files. Before you apply any of these tools, make sure that you follow the guide above to remove the ransomware virus first to prevent re-encryption of your files.

There are limitations for both of these tools. These tools will only work with the following Windows operating systems: Windows XP, Vista, 7, Server 2003, and Server 2008.

Additionally, These decryption tools are not as easy to use as the No More Ransom! tools listed above. You can find a guide by Matt Suiche of Comae Technologies on how to use the WanaKiwi tool effectively.

You can also find a helpful video guide for WanaWiki by clicking here.

Petya (NotPetya or SortaPetya) Ransomware Quick Fix

A new “patch” was also discovered and posted to the security blog Bleeping Computer that can provide limited protection against the Petya (NotPetya or SortaPetya) ransomware. Similar to WannaCry, the virus looks for a file and if it finds it, stops encryption. In the case of WannaCry, that was a specific web address. For Petya, it’s a file located on the host computer.

You can trick Petya into stopping encryption by creating this file yourself. Here’s how.

After opening the .exe file, you will see a DOS screen that prompts you to hit enter. Follow the instructions to run the program.

Note that this process is designed to work on Windows 7. At present, Windows 10 may not vulnerable to this ransomware. The executable file will only work on Windows 7.

If you need to do this process manually for any reason, check out the blog post on Bleeping Computer, which provides a step-by-step guide on how to create the file manually.

If you get infected by the Petya virus, this process should stop the virus from encrypting your files. Note that this process will not remove the virus.

More on WannaCry

There’s a good chance you’ve heard about WannaCry. This encrypting ransomware is unique for several reasons. First, it’s quickly become the fastest spreading ransomware in the history of ransomware. Between its release on Friday, May 12th to this time of writing (May 17, 2017), the malware has infected over 200,000 computers and systems.

Generally speaking, WannaCry is not particularly unique, so much that it has infected some very big names and important governmental agencies across the world, and used a stolen National Security Agency (NSA) exploit tool to do it. The stolen NSA tool is part of the reason WannaCry has been so successful in spreading.

Compounding the issue is the fact that many agencies and businesses were slow to roll out the proper Windows patch that would have prevented this exploit in the first place. Microsoft pushed that patch in mid-March. Businesses and other organizations had well over a month to apply it, but many never did.

Interestingly, the first variant of WannaCry was thwarted by a cyber security researcher and blogger who, while reading the code, discovered a kill switch written into the malware. WannaCry’s first variant checks to see if a certain website exists or not. If the website doesn’t exist, WannaCry continues to encrypt the infected computer’s files and spread itself over the local network and across the internet. However, if the website exists, WannaCry’s virus halts the encryption process.

The security blogger decided to go ahead and register the site for around $10, which significantly slowed the spread of the virus. However, WannaCry’s creators were quick to roll out new variants (one of which had another website kill switch that was soon used to stop that variant). In a move of solidarity with the fight against ransomware, the 22-year old security professional and blogger also decided to donate his $10,000 reward to charity.

Despite its widespread impact, WannaCry’s success has been somewhat muted. Whether due to better education on ransomware or failings in the virus, by Monday, May 15, WannaCry had only managed to convince around 220 individuals and companies to cough up the $300 – $600 in ransom, netting under $60,000 in Bitcoin.

Nevertheless, that’s $60,000 more than the cyber criminals had before. Security companies and the rest of the world are continuing to watch WannaCry closely—including unconfirmed reports that North Korea may be behind the attack—as it is slowly becoming the most noteworthy and headline-grabbing ransomware to date.